Calling all hackers and security researchers: Google wants to pay you money. Quite a lot, in fact. The top prize for finding a new critical flaw in Android in the new Project Zero Prize competition is a whopping $200,000, with the second prize at $100,000 and $50,000 split among additional entrants. The contest is being run by Project Zero, the company's own internal team of security researchers that documents critical flaws and bugs in wide-reaching software.

But be aware: that prize doesn't go to any old run-of-the-mill vulnerability. In order to be eligible, participants must find "a vulnerability or bug chain that achieves remote code execution on multiple Android devices knowing only the devices’ phone number and email address." That's a tall order, though the rule says only that the researcher needs to know the phone number and/or email address, not necessarily that they're limited to a dialer or email app as a point of insertion. Note that, because of the limitations in the contest, it's possible that no one will win in the allotted time.

Entrants need to send in their research in the form of an Android issue tracker report, then send in that annotated issue to the Project Zero team for consideration. Once winners are selected they'll be invited to write up their discoveries for the Project Zero blog. The competition is open for the next six months, so you have plenty of time to try to hack into your loved ones' phones.

Google's intent to fight hackers is to encourage them to hack Android with this contest? What if the hackers did find a flaw and ignored the contest rules, revealing the user's private information and having those creepy giggles all alone? They will obviously not mention this while on their way to the prize. I understand that Google is trying their best to find a flaw in the OS but this is not an appropriate way at all.

nachofrand

You're stupid and wrong.

SpadeX

Thanks for the input.

Declan Cross (DJ)

People do this anyway and plus that's a lot of money

ASYOUTHIA✓ᵛᵉʳᶦᶠᶦᵉᵈ

That's too much legwork to do to try to make more than the award. I'm going to steal all this info and then sell it for pennies per account to some other idiot when you can cash in big

SpadeX

Well, it's still not a safe thing, and it drives encouragement to hackers and also personal information such as credit card details has a high chance of being exposed and the hacker will be able to get away with this "legally" AND with a prize.

ASYOUTHIA✓ᵛᵉʳᶦᶠᶦᵉᵈ

Hackers will hack, nothing will be 100% hack proof. It's just a very big incentive for them to do it the honest and legal way

SpadeX

So what now? We're all just gonna sit and wait for a hacker to get control over our phones and fetch a few details just because this is a "legal" contest and a means of finding problems rather than violation of privacy?

ASYOUTHIA✓ᵛᵉʳᶦᶠᶦᵉᵈ

Nope. You're going to go to the store, purchase some Reynolds Wrap and make a better tinfoil hat

You understand it's still illegal to hack into other people's devices right? This contest doesn't make it legal to do that. Hackers use their own devices to find vulnerabilities. This is called Pentesting. Look it up. No one's going to break into your device because of this contest.

SpadeX

Right, I haven't done research into this and you guys are correct. I'm really sorry. I haven't thought about it rationally and now I feel really stupid for posting these comments. Cheers.

They've done this with Chrome and Chrome OS for years. The result is that they have the most secure browser and OS on the planet.

SpadeX

I don't think you've understood what I was saying. If the hacker was able to get the user's phone number and email address then he may not stop there and get even more personal info, perhaps the user's social networks for the sake of stalking or even worse, credit card details. In addition to that, he will be able to win the contest prize without having to tell the other information that the hacker was able to get.

Believe it or not, some "hackers" actually just enjoy cracking into systems without any intention of criminal activity. They're the modern digital equivalent of locksmiths. Some of them earn a living solely from prizes like this, set up specifically for well-intentioned experts, or as security consultants.

I don't mean to belittle you, but you're not very informed on this topic. A company setting up a prize to hack into its own software is not unusual.

The main intent of this event is to make such types of hacks known to Google so that they can fix them. Hackers will always get into systems and steal info. These types of events encourage them to do so and report it so that it will be fixed. It's better to strengthen security by fixing bugs than leaving them undiscovered.

Again, related to your concern: in these types of events, generally security experts sit and try to hack into their own devices to find vulnerabilities, and thus there are very, very few scenarios where they hack into other people's handsets. Often studying your device, its state and processes and all is very critical while performing a hack, and you won't get this info if you target some random device. With your own device you might connect it to a PC and debug, and this tremendously helps in discovering a hack.

Apart from this, there are hackers who uncover new bugs and are able to hack. They usually build some kind of tool or app or mechanism to put the hack concept into a hacking tool, and these are already being sold in underground markets. It's all about money to them, so Google is offering a reward in hopes to catch this.

Amir

I disagree. I think the prize itself is a reason for hackers to go this way, instead of releasing private data. They wouldn't make that much money if they went the Black Hat way, at least not without repercussions.

Regarding hackers being able to disclose data while awaiting that prize: It's a lengthy and detailed process, executed by some of the best security experts in the world. Seeing a vulnerability might surprise/amaze that team, but I would assume it would be very hard to fool them.

TriguyRN

You are saying the contest, and therefore the prize money is motivation for people to hack the OS. If they were to use the exploit for malicious purposes, they would not win the prize money. So how does this contest affect anything in a negative way?

People hacking for fun will report an exploit for money, Android security improves and the black hat side of hacking is unaffected, or swayed to trade a vulnerability for cash.

Michael McBride

Can I get odds in Vegas on JCase?

SIGTRAP

The restrictions are just so they can boast how "secure" Android is.

Amirreza Ahmadi

Contest rules: ...(3) are not a resident of Italy, Brazil, Quebec, Cuba, Iran, Syria, North Korea, Sudan, or Crimea;
In other words, are not a true hacker :D

Rapper_skull

I understand all of them, but why Quebec and Italy?

Ryan J

You forgot Russia

Angel

It's probably due to being forbidden by law, either in the US (where the group/company is registered) or in the respective country.

herbdrank

And Quebec in typical fashion still pretends that it's a separate country

Edvinas Bačiulis

Google is going in a very good direction. Remember, Google will make Android a lot more secure + THEY HAVE AN ADVANTAGE, and just read this: Will people really know exactly what bug/flaw Google is really looking for? NO, so in this case, when hackers send some inaccurate bugs, Google will take advantage and fix these bugs as well, even if it is out of the deal. I like this. Google is really changing their game now.